From 349aeeab7c5e878ddc6c0c95a0a937476816c43e Mon Sep 17 00:00:00 2001
From: John Starks
Date: Fri, 15 Jun 2018 15:36:10 -0700
Subject: [PATCH] lcow: Allow the client to add or remove capabilities

Signed-off-by: John Starks
---
 daemon/caps/{utils_unix.go => utils.go} | 2 --
 daemon/oci.go | 31 +++++++++++++++++++++++++
 daemon/oci_linux.go | 25 --------------------
 daemon/oci_windows.go | 10 ++++++--
 4 files changed, 39 insertions(+), 29 deletions(-)
 rename daemon/caps/{utils_unix.go => utils.go} (99%)
 create mode 100644 daemon/oci.go

diff --git a/daemon/caps/utils_unix.go b/daemon/caps/utils.go
similarity index 99%
rename from daemon/caps/utils_unix.go
rename to daemon/caps/utils.go
index 4c18b28be5..c5ded542ef 100644
--- a/daemon/caps/utils_unix.go
+++ b/daemon/caps/utils.go
@@ -1,5 +1,3 @@
-// +build !windows
-
 package caps // import "github.com/docker/docker/daemon/caps"
 
 import (
diff --git a/daemon/oci.go b/daemon/oci.go
new file mode 100644
index 0000000000..f3a556c617
--- /dev/null
+++ b/daemon/oci.go
@@ -0,0 +1,31 @@
+package daemon // import "github.com/docker/docker/daemon"
+
+import (
+ "github.com/docker/docker/container"
+ "github.com/docker/docker/daemon/caps"
+ specs "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+func setCapabilities(s *specs.Spec, c *container.Container) error {
+ var caplist []string
+ var err error
+ if c.HostConfig.Privileged {
+ caplist = caps.GetAllCapabilities()
+ } else {
+ caplist, err = caps.TweakCapabilities(s.Process.Capabilities.Bounding, c.HostConfig.CapAdd, c.HostConfig.CapDrop)
+ if err != nil {
+ return err
+ }
+ }
+ s.Process.Capabilities.Effective = caplist
+ s.Process.Capabilities.Bounding = caplist
+ s.Process.Capabilities.Permitted = caplist
+ s.Process.Capabilities.Inheritable = caplist
+ // setUser has already been executed here
+ // if non root drop capabilities in the way execve does
+ if s.Process.User.UID != 0 {
+ s.Process.Capabilities.Effective = []string{}
+ s.Process.Capabilities.Permitted = []string{}
+ }
+ return nil
+}
diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
index 9b39a64ee7..37e289934b 100644
--- a/daemon/oci_linux.go
+++ b/daemon/oci_linux.go
@@ -13,7 +13,6 @@ import (
 
 containertypes "github.com/docker/docker/api/types/container"
 "github.com/docker/docker/container"
- "github.com/docker/docker/daemon/caps"
 daemonconfig "github.com/docker/docker/daemon/config"
 "github.com/docker/docker/oci"
 "github.com/docker/docker/pkg/idtools"
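Review bot: setCapabilities is now shared by the Linux spec builder and the LCOW path in oci_windows.go (createSpecLinuxFields), but the comment `// setUser has already been executed here` states an ordering precondition that only the Linux caller is known to meet; inside createSpecLinuxFields nothing visible populates s.Process.User before this call, so if it is still UID 0 there the non-root drop of Effective and Permitted never fires for a non-root LCOW container — worth confirming against the rest of createSpec, or removing the dependence on call order. The function is also the single cross-platform implementation now and carries no doc comment; I would add `// setCapabilities fills s.Process.Capabilities from the container's HostConfig: every capability when privileged, otherwise the spec's bounding set adjusted by CapAdd/CapDrop; for a non-root User, Effective and Permitted are then cleared as execve would.` Finally, `s.Process.Capabilities.Bounding` is dereferenced without a nil check, so a spec whose Process.Capabilities was never populated panics in the daemon instead of surfacing an error; a guard such as `if s.Process.Capabilities == nil { return errors.New("spec has no capability set") }` (with errors imported) makes that a reportable failure.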
@@ -249,30 +248,6 @@ func setNamespace(s *specs.Spec, ns specs.LinuxNamespace) {
 s.Linux.Namespaces = append(s.Linux.Namespaces, ns)
 }
 
-func setCapabilities(s *specs.Spec, c *container.Container) error {
- var caplist []string
- var err error
- if c.HostConfig.Privileged {
- caplist = caps.GetAllCapabilities()
- } else {
- caplist, err = caps.TweakCapabilities(s.Process.Capabilities.Bounding, c.HostConfig.CapAdd, c.HostConfig.CapDrop)
- if err != nil {
- return err
- }
- }
- s.Process.Capabilities.Effective = caplist
- s.Process.Capabilities.Bounding = caplist
- s.Process.Capabilities.Permitted = caplist
- s.Process.Capabilities.Inheritable = caplist
- // setUser has already been executed here
- // if non root drop capabilities in the way execve does
- if s.Process.User.UID != 0 {
- s.Process.Capabilities.Effective = []string{}
- s.Process.Capabilities.Permitted = []string{}
- }
- return nil
-}
-
 func setNamespaces(daemon *Daemon, s *specs.Spec, c *container.Container) error {
 userNS := false
 // user
diff --git a/daemon/oci_windows.go b/daemon/oci_windows.go
index f00ab3363d..d3631b9d92 100644
--- a/daemon/oci_windows.go
+++ b/daemon/oci_windows.go
@@ -211,7 +211,9 @@ func (daemon *Daemon) createSpec(c *container.Container) (*specs.Spec, error) {
 if !system.LCOWSupported() {
 return nil, fmt.Errorf("Linux containers on Windows are not supported")
 }
- daemon.createSpecLinuxFields(c, &s)
+ if err := daemon.createSpecLinuxFields(c, &s); err != nil {
+ return nil, err
+ }
 default:
 return nil, fmt.Errorf("Unsupported platform %q", img.OS)
 }
@@ -336,12 +338,16 @@ func (daemon *Daemon) createSpecWindowsFields(c *container.Container, s *specs.S
 // Sets the Linux-specific fields of the OCI spec
 // TODO: @jhowardmsft LCOW Support. We need to do a lot more pulling in what can
 // be pulled in from oci_linux.go.
-func (daemon *Daemon) createSpecLinuxFields(c *container.Container, s *specs.Spec) {
+func (daemon *Daemon) createSpecLinuxFields(c *container.Container, s *specs.Spec) error {
 if len(s.Process.Cwd) == 0 {
 s.Process.Cwd = `/`
 }
 s.Root.Path = "rootfs"
 s.Root.Readonly = c.HostConfig.ReadonlyRootfs
+ if err := setCapabilities(s, c); err != nil {
+ return fmt.Errorf("linux spec capabilities: %v", err)
+ }
+ return nil
 }
 
 func escapeArgs(args []string) []string {
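Review bot: The doc comment above createSpecLinuxFields still reads `// Sets the Linux-specific fields of the OCI spec` and says nothing about the new error return or that the process capability set is now computed here from HostConfig.CapAdd/CapDrop; I would extend it with `// It returns an error when the container's CapAdd/CapDrop cannot be applied to the spec's bounding set.` The wrap in `fmt.Errorf("linux spec capabilities: %v", err)` flattens the cause so callers cannot inspect the underlying error; if the toolchain in use supports it, `%w` keeps the chain at no cost. Note also that setCapabilities decides whether to clear Effective/Permitted from s.Process.User.UID, and nothing in this function sets the user before the call, so the comment should state that the caller is expected to have populated s.Process.User first if that is the intended contract.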